Difference between revisions of "Containers and virtual machines"

From Wiki at Neela Nurseries
Jump to: navigation, search
m (^ Docker Compose: - adding notes on vulnerability scanning.)
(^ private Docker registries: returning to add link to Lathonez blog post on private Docker registries set up behind apache2.)
Line 184: Line 184:
  
 
=== [[#top|^]] private Docker registries ===
 
=== [[#top|^]] private Docker registries ===
 +
One of the later references found, but one of the most helpful to putting all the pieces together and to understanding how to test them, and why they're there:
 +
*  https://lathonez.com/2016/docker-registry-apache-letsencrypt/
 +
This post from 2016 by writer Lathonez.
 +
 +
 
Notes on how to set up a Docker container registry, a networked server from which Docker images can be accessed and shared:
 
Notes on how to set up a Docker container registry, a networked server from which Docker images can be accessed and shared:
 
*  https://docs.docker.com/registry/deploying/
 
*  https://docs.docker.com/registry/deploying/

Revision as of 05:01, 30 June 2021

Unix and Linux config :: Containers :: Clusters :: <link>


Contents

^ Container Software

A promising starting point, collection of six articles / tutorials on Docker containers:

 *  https://medium.com/sysf/docker/home

A general note following about three days' Docker container experimentation, and to question "should I be using a Docker container interactively, running multiple apps, some simultaneously?". (Note the following forum post chain is a quagmire of issues and opions!):

 *  https://news.ycombinator.com/item?id=7950326

^ Docker starting point

Notes on Docker containerizing software. Note, to get a practical start it is a good and or needed step to create a user account with Docker dot com. Single user and free accounts with some advanced Docker features disabled are available. A good starting tutorial for beginners is written by one Brian Hogan of Digital Ocean, this article published 2018 July 5. First reference in list here:

Ted noting too there may be a daily limit to the number of docker images which a user with a free account can push to Docker's image repository. Docker's image repository provides URLs of the form https://hub.docker.com/u/<user_name>, where username is the given person's Docker account user name.

^ Docker registries and repositories

Nick Janetakis writes a pretty concise brief article to describe what are Docker repositories and Docker registries. An image repository holds versions (committed and tagged versions) of a given Docker image. A registry holds zero or more Docker repositories, and is generally a full-fledged always live service that's accessible on the internet or on an intranet.


^ specific commands

Start a docker image with access to a particular host directory:

^ docker commit ...



^ docker push [<optional_remote_registry>/]<image_name>[:<optional_tag>]

Series of docker push invocations for a work-in-progress image. Note the tag names are optional until one needs push an image that's being amended, such that it is a newer or different version of an existing image on the remote Docker repository:

  886  docker push tedhavelkaad0602/ubuntu-git-plus-arm-none-eabi-gcc
  932  docker push tedhavelkaad0602/ubuntu-git-plus-arm-none-eabi-gcc:version-0p2
  944  docker push tedhavelkaad0602/ubuntu-git-plus-arm-none-eabi-gcc:version-0p3
  962  docker push tedhavelkaad0602/ubuntu-git-plus-arm-none-eabi-gcc:version-0p4
  965  docker push tedhavelkaad0602/ubuntu-git-plus-arm-none-eabi-gcc:version-0p5

And here is a link to an article describing Docker push command syntax:

We'll note this link also in the References section of this page. Takeaway here is that the third token in the above push command examples, the latter four examples, that token has the form "<docker_user_name>/<image_name>:<docker_tag>".

This article helped get us closer to understanding how Docker CLI parses the argument to a given docker push argument. Even with this understanding some further trial and error helped clarify what is needed in the form of this argument, which identifies a Docker image to be pushed to a private, non-docker.io registry. Some excerpts from the command line:

vmguest@vm-ubuntu-0p2:~$ docker images
REPOSITORY                                           TAG           IMAGE ID       CREATED        SIZE
ubuntu-20-04-lts                                     version-0p0   065cf14a189c   8 days ago     135MB
localhost:5000/my-ubuntu                             latest        065cf14a189c   8 days ago     135MB
tedhavelkaad0602/ubuntu-git-plus-arm-none-eabi-gcc   version-0p8   bf980d48d9ab   8 days ago     2.98GB
tedhavelkaad0602/ubuntu-git-plus-arm-none-eabi-gcc   version-0p2   4110ca98063a   2 weeks ago    309MB
tedhavelkaad0602/ubuntu-git-plus-arm-none-eabi-gcc   latest        f24e27e3d998   2 weeks ago    245MB
registry                                             2             1fd8e1b0bb7e   2 months ago   26.2MB
docker-registry.neelanurseries.com/hello-world       version-0p0   d1165f221234   3 months ago   13.3kB
vmguest@vm-ubuntu-0p2:~$ docker push ubuntu-20-04-lts:version-0p0 docker-registry.neelanurseries.com/ubuntu-20-04-lts:version-0p0
"docker push" requires exactly 1 argument.
See 'docker push --help'.

Usage:  docker push [OPTIONS] NAME[:TAG]

Push an image or a repository to a registry
vmguest@vm-ubuntu-0p2:~$ docker push ubuntu-20-04-lts:version-0p0
The push refers to repository [docker.io/library/ubuntu-20-04-lts]
d07b1c131bb8: Preparing 
2788d2f5dd8f: Preparing 
04d694391e96: Preparing 
48ed8163532b: Preparing 
denied: requested access to the resource is denied
vmguest@vm-ubuntu-0p2:~$ docker push docker-registry.neelanurseries.com/ubuntu-20-04-lts:version-0p0
The push refers to repository [docker-registry.neelanurseries.com/ubuntu-20-04-lts]
An image does not exist locally with the tag: docker-registry.neelanurseries.com/ubuntu-20-04-lts
vmguest@vm-ubuntu-0p2:~$ docker tag ubuntu-20-04-lts:version-0p0 docker-registry.neelanurseries.com/ubuntu-20-04-lts:version-0p0
vmguest@vm-ubuntu-0p2:~$ docker push docker-registry.neelanurseries.com/ubuntu-20-04-lts:version-0p0
The push refers to repository [docker-registry.neelanurseries.com/ubuntu-20-04-lts]
d07b1c131bb8: Pushed 
2788d2f5dd8f: Pushed 
04d694391e96: Pushed 
48ed8163532b: Pushed 
version-0p0: digest: sha256:114bbce1997fa476da56c3958cb3ca13269a54b0a97dfd3667543c7778287bf2 size: 1150


Delete a Docker repository on Docker hub:

^ docker container rm [...], docker image rm [...]

Delete (remove) a local Docker image . . . first must remove all local containers which use given image:

Commands which worked locally:

 1036  docker ps -a
 1037  docker container rm bdc45e3021ad
 1038  docker ps -a
 1039  docker container rm 3899ce3b4c5f 85206c6c2565
 1040  docker ps -a
 1041  docker container rm e530246d9393 775ef655da0f 51a5967aecf8
 1042  docker ps -a
   .
   .
   .
 1047  docker image rm tedhavelkaad0602/ubuntu-04-vim--openssh-server--man-db
 1048  docker images
 1049  docker image rm tedhavelkaad0602/ubuntu-nodejs-net-tools
 1050  docker images


Secure shell into, or otherwise connect with a running Docker container in and of a Linux environment:

A couple examples of running second bash instance of a given Docker container, not a login, but provides second interactive window or interface to a given Docker container:

^ docker exec [options] [command_in_container]

  937  docker exec -t -i a42e2e801d60 bash
  938  docker exec -i -t 51a5967aecf8 bash

Note this can have unintended consequences given that there's no ssh server running to handle multiple, or additional logins!

-- Enable USB access in Docker container --


^ Docker volumes

https://www.digitalocean.com/community/tutorials/how-to-share-data-between-docker-containers


^ Anatomy of a Dockerfile

Ok Ted needs to figure out what are Dockerfiles and how should they be authored and maintained. One example that's annotated:

A link to a Docker based project which comes very close to what we're working on for an embedded development toolchain and environment that's fully tracked, easy to reproduce on demand:


^ Promising Docker images


^ to access physical devices within container


^ private Docker registries

One of the later references found, but one of the most helpful to putting all the pieces together and to understanding how to test them, and why they're there:

This post from 2016 by writer Lathonez.


Notes on how to set up a Docker container registry, a networked server from which Docker images can be accessed and shared:

Setting up authentication using htaccess files:

Some requirements for the above link to Docker registry recipe:

 
Above tutorials and articles don't paint a clear easy path to setting up a first, basic Docker registry. Taking up a different path here at DigitalOcean:

Regarding port forwarding in apache2 config files:

There is some nginx configuration stuff that's not obvious how to port to apache2 config files, but following how-to article gives a clue with "Header set Host ..." and "RequestHeader set X-Forwarded-Proto "https"":


^ web server configuration

A dedicated virtual machine can easily have one web server configured to act as a reverse proxy in front of a Docker registry. In this context we mean 'proxy' as in a proxy for the public to reach one's internal, in this case Docker registry server. But for development purposes where our virtual machine options are not yet easily configured to be accessible on a LAN, we face a need to set up a first private registry on an existing cloud host which has a name and fixed IP. And there is already a web server config in place there, which we want to leave intact while testing the reverse proxy and other Docker registry pieces. Hence this section in this notes page.

^ apache2 plus nginx

This section contains references and notes regarding how to set up apache2 and nginx on one server.

^ to run multiple instances of apache2

At startpage.com entered search phrase "possible to run apache2 twice with distinct configurations". First result helpful:

^ Reverse proxy choices

Excerpt from https://help.sonatype.com/repomanager3/system-configuration/configuring-ssl#ConfiguringSSL-InboundSSL-ConfiguringtoServeContentviaHTTPS:

Inbound SSL - Configuring to Serve Content via HTTPS
Available in Nexus Repository OSS and Nexus Repository Pro

Providing access to the user interface and content via HTTPS is a best practice.

You have two options:

Use a separate reverse proxy server in front of the repository manager to manage HTTPS
Configure the repository manager itself to serve HTTPS directly
Using A Reverse Proxy Server
A common approach is to access the repository manager through a dedicated server which answers HTTPS requests on behalf of the repository manager - these servers are called reverse proxies or SSL/TLS terminators. Subsequently requests are forwarded to the repository manager via HTTP and responses received via HTTP are then sent back to the requestor via HTTPS.

There are a few advantages to using these which can be discussed with your networking team. For example, the repository manager can be upgraded/installed without the need to work with a custom JVM keystore. The reverse proxy could already be in place for other systems in your network. Common reverse proxy choices are Apache httpd, nginx, Eclipse Jetty or even dedicated hardware appliances. All of them can be configured to serve SSL content, and there is a large amount of reference material available online.

Serving SSL Directly 
The second approach is to use the Eclipse Jetty instance that is distributed with the repository manager to accept HTTPS connections.

How to Enable...

^ local private registry with only apache2-utils

Following article good, well written! Describes in clear detail and incrementally how to set up private Docker registry. Gives references. Explains need for some kind of web service provision to achieve a remotely accessible private Docker registry. Key words Gabriel Tanner private Docker registry :

^ Docker Features Not Done

Apparently there is no ready facility to list the images in a private Docker registry, one that's running from the official registry:2 Docker image. A forum post includes mentions of two possible home brew scripts to provide such a listing:

The second of the two scripts is hosted at Github. Need to check the license applied to it, looks like there are recent updates to this project, from about 2021 March:


^ Outline of Docker Team How-To

Sections of document to share with work team:

  1. End User Use of Docker
  2. How To Install Docker Client 'docker-ce'
  3. Basic Interactions with Docker Images
    • login
    • pull
    • run
    • stop
    • modify
    • commit
    • tag
    • push
    • logoff
  4. Private Docker Registry Configuration


^ Docker Compose

Docker compose files can coordinate and run multiple Docker containers which work together to provide a larger service or set of services. A starting point for understanding how to utilize Docker compose files, which are drafted in a mark-up language named YAML, can be found here:

In contrast a dockerfile is a set of build instructions, which could be run at a command line to manually create a Docker image. A dockerfile provides a way to automate the image building process, and is much lighter weight in terms of disk space taken compared with a typical image. A one line command in a dockerfile could pull in a multi-megabyte library or binary. Some information on dockerfiles here:

^ docker scan image

Starting point to understand Docker vulnerability scanning:

An example vulnerability found in certain versions of Perl which ship with Debian:


- - - - -   - - - - -   - - - - -   - - - - -   - - - - -   - - - - -   - - - - -   - - - - -   - - - - -

 

^ Kubernetes Container Software

Kubernetes notes 2021-06-09 This section a stub section.

- - - - -   - - - - -   - - - - -   - - - - -   - - - - -   - - - - -   - - - - -   - - - - -   - - - - -

 

^ Oracle Corporation VirtualBox software

VirtualBox on-line manual